PART 1 – GENERIC PRIVACY NOTICE
Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in a number of ways, one of which is the publication of privacy notices. Our privacy notices comprise two parts – a generic part and a part tailored to the specific processing activity being undertaken.
The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact:
Information Governance Unit Telephone: (0191 33) 46246 or 46103 E-mail: firstname.lastname@example.org
Data Protection Officer
The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:
Jennifer Sewel University Secretary
Telephone: (0191 33) 46144
The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.
Your rights in relation to your personal data Privacy notices and/or consentYou have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.
Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.
Accessing your personal data
You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage.
Right to rectification
If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.
Once we have determined what we are going to do, we will contact you to let you know.
Right to erasure
You can ask us to erase your personal data in any of the following circumstances:
We no longer need the personal data for the purpose it was originally collectedYou withdraw your consent and there is no other legal basis for the processingYou object to the processing and there are no overriding legitimate grounds for the processingThe personal data have been unlawfully processedThe personal data have to be erased for compliance with a legal obligationThe personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites).Once we have determined whether we will erase the personal data, we will contact you to let you know.
Right to restriction of processing
You can ask us to restrict the processing of your personal data in the following circumstances:
You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurateThe processing is unlawful and you want us to restrict processing rather than erase itWe no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim andYou have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.
Making a complaint
If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:
Information Commissioner's Office Wycliffe House
Water Lane Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: Information Commissioner’s Office
PART 2 – PRIVACY NOTICE FOR EMPLOYERS WORKING WITH CAREERS & ENTERPRISE
This section of the Privacy Notice provides you with the privacy information that you need to know before you provide personal data to Careers & Enterprise for the particular purpose(s) stated below.
Type(s) of personal data collected and held by Careers & Enterprise and method of collection:
When registering with our online vacancy service or booking to attend a careers event, we hold your name, job title, company address, telephone number and email address. This is collected from your registration or booking form.
When processing your personal data the University relies on Consent as the lawful basis.
How personal data is stored by Careers & Enterprise:
Personal data of employers is stored by the Careers & Enterprise Centre in a propriety cloud-based database supplied by GTi Media Ltd. called TARGETconnect (TC) under a contract for service. TC is hosted by GTi Media Ltd. on their servers located within the EEA. Access to personal data is restricted to the staff in the Careers & Enterprise Centre and any other member of staff who have a requirement to maintain a relationship with you, and is controlled through password protection and user security profiles.
Personal data of employers booking to attend recruitment events will also be stored within the University’s online Content Management System and internal spreadsheets, with access restricted to staff in the Careers & Enterprise Centre.
All University employees that are given access to personal data receive mandatory Data Protection training and have a contractual responsibility to maintain confidentiality.
How personal data is processed by Careers & Enterprise:
Personal data is processed by Careers & Enterprise to contact employers regarding vacancies and careers events. Careers events may be those booked by the employer, or future events which Careers & Enterprise may wish the employer to attend.
Who Careers & Enterprise shares personal data with:
Careers & Enterprise may share personal data internally within the University if required for the organisation or running of events, or if Careers & Enterprise feel the employer may benefit from contact with other departments regarding careers opportunities for Durham University students.
How long personal data is held by Careers & Enterprise:
Personal data will be held on the online vacancy advertising service (TC) for as long as the individual continues to make use of the service. This data will be reviewed annually so that any individual who has not logged into the system for more than three years will have their personal data removed.
Personal data regarding careers event enquiries will be held internally within Careers & Enterprise for a period of three years, after which booking details will be deleted.
Personal data regarding careers events bookings will be held internally within Careers & Enterprise for a period of six years, after which booking details will be anonymised.
Records will be kept in line with the retention periods above or, if prior to this, you tell us that you no longer wish your account to exist. In this instance the Careers & Enterprise Centre will remove your personal data from the Student Services Portal.
How to object to Careers & Enterprise processing your personal data:
Individuals have the right to object to Careers & Enterprise processing their personal data for any or all of the purposes set out in this Privacy Notice; they may do so at any time. To exercise this right, please email email@example.com.
Visitors to our websites/webpages:
When someone visits www.dur.ac.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. Durham University also make use of the Google Analytics service to understand how you navigate around our site.
Links to other websites:
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice:
We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.
If you have any questions which you feel have not been covered by this Privacy Notice, please email us or write to:
Information Governance Unit
Telephone: (0191 33) 46246 or 46103